Created attachment 8768: Level 10 debug log of a failed try to join Win7 (without acl:search=no parameter)

I'm sorry, but the 'acl:search=no' workaround is still required and not fully fixed. Yesterday we switched to 4.0.5 and I ran 'samba-tool dbcheck --reset-well-known-acls --fix' to reset all my ACLs. Then I recreated the delegation, so members of a group can join computers to the domain without having domain admin permissions (http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO/AD_Delegation#Add_delegation). The join as a member of that group worked as expected. Then I removed the 'acl:search=no' parameter from smb.conf and restarted samba. Now XP says, when trying to join, 'access denied' and Win7 says 'wrong parameter', and the joins didn't work. After I added the parameter to smb.conf again, the join worked fine again.
As I indicated on the lists, we really need a concrete test (modification to acl.py hopefully) that fails against Samba and passes against Windows, in order to make progress here.
Without the 'acl:search=no' parameter in my domain, I found that 'samba-tool ldapcmp' fails between domain controllers. This is Samba version 4.9.6. If there is any additional information or testing I could provide, please let me know.